Golddigger malware distribution via fake Play Store phishing pages

PT FPT Metrodata Indonesia (FMI) is a joint venture between FPT IS and Metrodata Electronics, focusing on providing Cybersecurity-as-a-Service—including SOC, managed security, professional services, consulting, and threat intelligence—to support Indonesia’s rapidly growing digital economy. FMI is expanding into AI and cloud GPU services to deliver innovative protection and solutions for enterprises. Learn more at https://fmisec.com.
Summary
CTM360 identified a large-scale scam campaign leveraging fraudulent Google Play Store download pages to distribute the GoldDigger (PlayPraetor) Banking Trojan malware. These meticulously crafted fake websites closely mimic the official Play Store, deceiving users into downloading seemingly legitimate applications. However, the APKs contain sophisticated malware designed to steal sensitive data, including banking credentials, clipboard activity, and keystrokes. Over 6,000 such fraudulent pages have been identified, highlighting the widespread and coordinated nature of the operation, which aims to compromise users globally.
Threat Actors register deceptive domains mimicking trusted entities, such as government agencies, to trick users into downloading malicious APKs. These Trojans, disguised as legitimate apps, request dangerous permissions like Accessibility access, enabling them to steal login credentials, monitor keystrokes, and capture clipboard data, including cryptocurrency addresses. The malware also targets banking apps by identifying installed applications and waiting for the right opportunity to steal credentials. Attackers distribute links to these fake Play Store pages via Meta Ads and SMS, using urgency tactics and trusted brand names to lure victims.
Technical Details
When executed, the malware displayed a login page prompting the user to enter their phone number and password for their M-Pajak account.

The malware specifically targets devices running Android versions 7.0 (SDK 24) to 13.0 (SDK 33). PlayPraetor connects to its C&C server at hxxps://ynadmwss[.]top:8081/device/getAllDeviceAppPackageSetting to retrieve a list of targeted banking and cryptocurrency wallet applications. This list includes key details such as the app ID, application name, package name, and disabled status.

After obtaining the list of targeted applications, the PlayPraetor malware scans the compromised device for their presence. It then transmits the application name, package name, and version number of each detected app to its C&C server at hxxps://ynadmwss[.]top:8081/device/saveAppList.

The malware may prompt the victim to enable the accessibility service, though this is not always the case. If the prompt appears and the victim enables the service, the malware abuses it to perform banking Trojan activities, prevent uninstallation, and auto-grant further permissions, as illustrated below.

The malware continuously transmits data from the infected device to the C&C server at hxxps://ynadmwss[.]top:8081/device/addOrUpdateDevice. This includes details such as Accessibility service status (accessibilityEnabled), active app package name (currentApp), clipboard contents (clipText), time zone (userTimeZone), device information (phone brand, system version), battery and network status, screen resolution, location coordinates (latitude, longitude), and device ID. Notably, it persistently collects clipboard data, enabling attackers to capture sensitive information without requiring explicit permissions.
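As an added defensive example (not part of the original advisory), the following Python script flags the three C&C endpoints named above in constructed proxy-log lines and lists which of the beacon fields the advisory describes appear in each request body; the log format, source IPs, and app names are assumptions.

```python
# Added example, not from the advisory. Assumed log format (constructed):
# "<ts> <src_ip> <method> <url> <status> [json_body]". Endpoint paths and
# beacon keys come from the advisory; IPs and app names are made up.
import json
import re
from urllib.parse import urlparse

C2_HOST = "ynadmwss.top"  # written defanged as ynadmwss[.]top in the advisory
C2_PATHS = {
    "/device/getAllDeviceAppPackageSetting": "fetch target app list",
    "/device/saveAppList": "report installed banking/crypto apps",
    "/device/addOrUpdateDevice": "device and clipboard beacon",
}
# Beacon keys the advisory lists; their presence shows what was exfiltrated.
BEACON_KEYS = {"accessibilityEnabled", "currentApp", "clipText",
               "userTimeZone", "latitude", "longitude"}
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
                     r"(?P<url>\S+) (?P<status>\d{3})(?: (?P<body>.*))?$")

def classify(line):
    """Return a finding for a line that hits a known C&C endpoint, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("url"))
    if url.hostname != C2_HOST or url.path not in C2_PATHS:
        return None
    leaked = []
    if m.group("body"):
        try:
            leaked = sorted(BEACON_KEYS & set(json.loads(m.group("body"))))
        except (ValueError, TypeError):  # non-JSON body: still a C&C hit
            pass
    return {"ts": m.group("ts"), "src": m.group("src"), "path": url.path,
            "stage": C2_PATHS[url.path], "leaked_fields": leaked}

def scan(lines):
    """Keep only the lines that classify() flags."""
    return [f for f in map(classify, lines) if f]

# Constructed sample log: one benign request, then the three C&C stages.
SAMPLE_LOG = [
    "2025-03-01T10:00:01Z 10.0.0.5 GET https://www.google.com/ 200",
    "2025-03-01T10:00:05Z 10.0.0.5 POST https://ynadmwss.top:8081/device/getAllDeviceAppPackageSetting 200",
    '2025-03-01T10:00:09Z 10.0.0.5 POST https://ynadmwss.top:8081/device/saveAppList 200 {"apps":[{"appName":"ExampleBank","packageName":"com.example.bank","version":"1.0"}]}',
    '2025-03-01T10:00:20Z 10.0.0.5 POST https://ynadmwss.top:8081/device/addOrUpdateDevice 200 {"accessibilityEnabled":true,"currentApp":"com.example.bank","clipText":"constructed-wallet-address","userTimeZone":"Asia/Jakarta"}',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["src"], hit["stage"], hit["leaked_fields"])
```

The same three paths can be turned directly into a proxy or DNS block rule for the C&C host; the field list on the beacon hit tells the responder whether clipboard contents or Accessibility state already left the device.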
Recommendations
If possible, activate biometric security measures like fingerprint or facial recognition to unlock your mobile device.
Exercise caution when it comes to opening links received via SMS or emails on your phone.
Confirm that Google Play Protect is turned on for Android devices.
Be mindful when granting permissions.
Keep your devices, operating systems, and applications up to date.
Conclusion
GoldDigger is a highly sophisticated banking Trojan that exploits Accessibility services to steal sensitive data, monitor user activity, and evade detection. By continuously transmitting device and clipboard information to its C&C server, it enables attackers to compromise banking credentials, cryptocurrency wallets, and other personal data. Its large-scale distribution through fake Play Store pages highlights the growing threat of Android malware campaigns, emphasizing the need for heightened security awareness and cautious app installation practices.